Lord Strasburger: My Lords, I apologise for appearing—or, more precisely, not appearing—before your Lordships in this manner, but I understand that there has been a failure in the parliamentary network and I cannot appear in video; it was either by telephone or smoke signals, so I will settle for the phone.
I should begin by declaring my interest as chair of Big Brother Watch, which campaigns for the privacy and freedom of speech of the citizens of our country and seeks to protect them from unwarranted intrusion by the state into their lives and their data. Big Brother Watch has managed to rapidly prepare a briefing for parliamentarians about this Bill, and I commend it to Members of this House. It sets out five areas of concern, which I will cover later in my contribution.
However, Big Brother Watch had to work at pace to complete the briefing for this Second Reading because the Government published the Bill only on 8 November, just eight working days ago. I wonder what the reason could be for this rushed processing. Could it be that the Government want to avoid the thorough examination that this detailed and complex Bill needs? If so, the small number of Members who are ready to speak about it today—just 11, including the Minister—suggests that this strategy might have worked. Therefore, my first question for the Minister is to ask for an explanation of why so little time has been given to prepare for this Second Reading.
I sat on the Joint Committee that carried out the pre-legislative scrutiny of the original Investigatory Powers Bill in 2015 and 2016. The noble Lord, Lord Murphy of Torfaen, whom I am pleased to follow in this debate, was the chair of that committee and a very good job he did too. My view eight years ago was, and still is, that bulk data collection—that is, the interception or collection and indefinite storage of everybody’s innocent internet, phone and computer communication—is a serious intrusion on every citizen’s privacy and requires very strong judicial oversight.
Those who support this mass surveillance seek to reassure us by saying that if you have nothing to hide you have nothing to fear. However, in truth do we not all have something to hide that we would prefer to keep to ourselves? That is why we shut the toilet or bedroom door behind us. That is why we do not speak in public about troubling issues in our family or friendship circle such as addictions, unwanted pregnancies, financial woes and the like. There are some things that we just feel are private—the kind of information that, in the wrong hands, can be used to demean or blackmail any of us. That detailed knowledge about every individual in the country could be used by an unscrupulous Government—who are considering ignoring laws and treaties, for example, if that rings any bells. They could use it to identify all citizens of a particular religion, political persuasion, sexual proclivity or whatever, to single them out for disadvantageous treatment or worse—much worse.
The state is collecting this personal information about us all and we cannot predict who in a future Government will get their hands on it and might totally misuse it. All I can say with certainty is that East Germany’s Stasi would have thought that every day was Christmas if it could have laid its hands on such a rich source of intimate data about all its citizens. Therefore, we must achieve a balance between the privacy needs and rights of individual citizens and protection of those same citizens from terrorists and serious and organised crime. It is not an easy balance to get right. I fear that the Government are still erring in favour of capturing too much data about innocent citizens—of course, the vast majority of us.
There is another very strong reason for not engaging in the collection of everyone’s data. The problem is that the useful information about terrorism or organised crime gets buried in a blizzard of useless data about the vast majority of us who are innocently going about our lives. In 2016, the Joint Committee on the Draft Investigatory Powers Bill heard startling evidence about the problem that this causes for security services from a gentleman called Bill Binney, a retired technical director of the United States National Security Agency and a bit of a folk hero in the intelligence community because he predicted with great accuracy when the Russians would invade Afghanistan just by analysing the patterns of their military signals. However, later in his career Mr Binney concluded that the NSA’s policy of collecting the data of all American citizens was unconstitutional, so his team devised software called ThinThread. It used smart collection to pick out for inspection only the communications of known terrorists, those they were talking to—and who those people were talking to.
The management of the NSA instead chose to go down the road of collecting 100% of the data through a highly expensive project, Trailblazer—which was later abandoned—and ignoring Bill Binney’s method of giving the analysts a much smaller but richer and more relevant set of data. The consequence was that the NSA missed the data that it already had in its systems which would have alerted it to the plot to attack the twin towers on 9/11. If only the NSA had known that it had it and had looked at it. We know that the NSA did have it because shortly after 9/11, Mr Binney’s team ran its ThinThread software against the NSA’s database at the time of 9/11 and found six of the 9/11 conspirators and their command centres. Mr Binney shocked the committee by revealing that 9/11 could, and should, have been prevented—if only the American security analysts had not been swamped with useless information.
The price paid by the American people for their security services’ predilection for bulk data collection was very high indeed. Yet here we have in this Bill the continuation of that folly by our own intelligence services. I invite noble Lords to recall the terrorist attacks of the last 20 years and that, almost every time, it was later revealed that the perpetrators were known to the police or the intelligence services. Our people being swamped with irrelevant data must have contributed to the failure to further investigate these suspects before they acted.
The Government will no doubt argue that the advent of artificial intelligence makes it more possible for them to search for needles in haystacks. That may well be so, but some of that advantage will be negated by the massive explosion of data volumes they are now collecting from a wide variety of sources, especially social media and video. The fact remains that they are still holding, and have available for inquiry, huge amounts of data about all of us in this House and in this country—all of it at risk of being misused. Bill Binney’s solution was to immediately encrypt the 99.9% of the data that was of no interest to protect it from snooping, official or unofficial. In the UK we have none of that protection.
The Investigatory Powers Act, to the credit of the then Government, sought to reassure the public that there are limitations on the use of personal data by law enforcement and the security services, and how those limitations are policed. However, it is worth noting that it was also disclosed that several intrusive powers have been used on the British people for many years, without any such constraint. That was because they had been in use without the consent or even the knowledge of Parliament. If it had not been for the brave whistleblowing of Edward Snowden, the contractor to the American National Security Agency, the scandal of the UK’s surveillance powers would not have been revealed to Parliament and may never have been addressed.
We need an Edward Snowden-type whistleblower every few years to keep our security services and our Government honest, because the safeguards that are in place to ensure compliance by the security services and prevent misuse of these highly intrusive powers seem to be inadequate, as illustrated by the TechEn case. This was a very serious breach of the statutory safeguards in the Investigatory Powers Act and the Regulation of Investigatory Powers Act 2000. It was the subject of the scathing judgment against the Security Service and the Home Office by the Investigatory Powers Tribunal in January this year. MI5 admitted that it had been aware, since May 2016, that there was a very high risk it was in breach of its statutory obligations concerning the holding of personal data under both Acts. It also admitted that it should have immediately reported to the Investigatory Powers Tribunal but failed to do this for three years.
The Investigatory Powers Tribunal found that
“there were serious failings in compliance with the statutory obligations of MI5 from late 2014 onwards”—
that is, two years earlier than MI5 admitted—and that those failings should
“have been addressed … by the Management Board”.
It was also strongly critical of the Home Office’s failure to inquire further into MI5’s long-standing compliance failures, after being made aware of them several times since 2016. The tribunal found that the Secretary of State breached their duty to make adequate inquiries as to whether the statutory safeguards were being met, and that warrants were issued after late 2014, through to 5 April 2019, that were unlawful and did not meet the safeguarding requirements imposed by the Investigatory Powers Act and RIPA. Other breaches of the safeguards were alleged, but we do not know the tribunal’s verdict on them because they were covered only in the secret part of the judgment.
As the noble Lord, Lord Anderson, whom I also thank for this thorough review, points out:
“MI5’s previous non-compliance has led to it being the subject of particularly rigorous oversight by IPCO with four extraordinary inspections taking place in 2019”.
He later warns that the TechEn case is a
“salutary reminder of the principle underlying the IPA: that exceptional powers require strong and independent external oversight”.
We would do well to remember those words when we come to consider the Bill in detail. There is clear, authoritative evidence that all is not well with the compliance mechanism in the Investigatory Powers Act. Some of us predicted this during the Bill’s consideration in this House. We also called for judicial authorisation to manage the risk of these suspicionless electronic surveillance powers, which are on a scale never seen before in a democracy. Instead, the Government set up a much weaker double-lock system, and now we see the consequences. So my second and third questions for the Minister are: what are the Government’s plans to seriously improve compliance with the Investigatory Powers Act, and will they now recognise that the current supervision regime is failing and needs to be replaced with much stronger arrangements? On a related matter, my fourth question is: when will the Government introduce regulation of a highly intrusive technology that is running riot in policing and security with absolutely no rules, safeguards or oversight—namely, facial recognition?
I turn to this Bill. There are five primary concerns that will be covered in detail in future stages in this House. As has been discussed, it weakens the safeguards against the intelligence services collecting bulk datasets of personal information by potentially harvesting millions of facial images and mass social media data. The Bill’s creation of a vague and nebulous category of information where there is deemed to be a low or no reasonable expectation of privacy is a concerning departure from existing privacy law, in particular data protection law. Such an undefined category requires agencies that are motivated to process such data to adjust safeguards according to unqualified assertions about other people’s expectations of the privacy of their data. On the contrary, data protection law is constructed according to the sensitivity of the information rather than guesswork about the individual’s expectation of privacy concerning personal information. In my view, this provision needs to be worded more tightly.
It weakens safeguards when authorities harvest communications data—for example, membership of and Facebook posts to a racial equality group could be seen as data available to a section of the public as defined in this Bill, and therefore the authorities may wrongly believe that they consequently possess lawful authority to obtain associated communications data from the platform. Once again, more precise wording is needed.
Thirdly, it expressly permits the harvesting and processing of internet connection records for generalised mass surveillance, which is a much wider purpose than originally envisioned.
Fourthly, it increases the number of politicians who can authorise the surveillance of British parliamentarians and members of other domestic legislative bodies. Politicians are not above the law but, given their important constitutional role, spying on them must require the highest authority—namely, that of the Prime Minister.
Fifthly and finally, it attempts to force technology companies, including those overseas, to inform the Government of any plans to improve security or privacy measures on their platforms so that the Government can consider serving a notice to prevent such changes. I am sorry to say that the Government must be suffering from delusions of grandeur if they think that Apple, for example, will agree to desist from improving the privacy protection of its products or to produce an iPhone with downgraded privacy features especially for the UK. Superior privacy for its customers is one of Apple’s main selling features, and it is not going to forfeit that to please the current Government in a small part of its worldwide market.
We have much to discuss when this Bill reaches its Committee stage. In the meantime I look forward to hearing the Minister’s response to my four questions at the end of this debate.